rttest2fandomcom-20200214-history
NTLM
The following document will allow you to setup authentication against a windows domain using mod_perl and AuthenHTLM Follow the steps given below for getting NTLM authentication working. 1. Install/Configure mod_perl under Apache - (and get it working of-course) 2. Download the following files for doing NTLM authentication (the following files worked for us) * For Fedora Core systems download the module from http://search.cpan.org/~speeves/Apache2-AuthenNTLM-0.02/AuthenNTLM.pm * For Debian Linux systems, download the module from http://search.cpan.org/~speeves/Apache-AuthenNTLM-2.10 3. Install the module tar xvfz Apache*AuthenNTLM*.tgz cd Apache*AuthenNTLM* perl Makefile.PL make make test make install 4. Edit the Apache configuration and enable KeepAlive KeepAlive On Restart your Apache server. 5. Configure apache to do the authentication. For example in .htaccess add # Enable the Authentication module PerlAuthenHandler Apache2::AuthenNTLM # domain pdc bdc # Domain : Your windows domain # pdc : Primary Domain Controller # bdc : Backup Domain controller. # # Note : Multiple domains can be specified. PerlAddVar ntdomain "OURDOMAIN domainpdc domainsdc" # What should be the default domain PerlSetVar defaultdomain OURDOMAIN # The user names are in the form "OURDOMAIN\user_name". Let us split it. PerlSetVar splitdomainprefix 1 # Set the debug variables PerlSetVar ntlmdebug 0 PerlSetVar ntlmauthoritative off More documentation is available in the accompanying README file in the tarball or the following link Once this is done, the domain user is populated as REMOTE_USER in the http server variables, which can be picked up by any application for doing authentication. 6. Configure RT for external web authentication. In RT_SiteConfig.pm: Set($WebExternalAuth , '1'); Set($WebFallbackToInternalAuth , '1'); Set($WebExternalGecos , undef); Set($WebExternalAuto , '1'); 7. # Configure the apache virtual host to use mod_ntlm for authentication: ServerName rt.example.com DocumentRoot /opt/rt3 AddHandler fastcgi-script fcgi Alias /NoAuth/Images/ /opt/rt3/share/html/NoAuth/images/ ScriptAlias / /opt/rt3/bin/mason_handler.fcgi/ AddDefaultCharset UTF-8 SetHandler fastcgi-script AuthName "Request Tracker" AuthType ntlm,basic require valid-user satisfy any allow from all satisfy any allow from all SetHandler default-handler 8. Restart Apache 9. Add the URL of your RT apache vhost to either the "trusted sites" or "intranet sites" zone of Internet Explorer. You can do this on a site-wide basis via the Group Policy Object for your domain controller: 1. Run "MMC" from Start->Run 2. From the "Console" menu, select "Add/Remove Snap-in" 3. From the "Add/Remove Snap-in" dialog, hit the "Add" button. 4. Select "Group Policy" and hit "Add". This will bring up the "Select Group Policy" wizard. 5. Hit the "Browse..." button, then select the Default Domain Policy for your domain and hit OK. 6. Hit the "Finish" button in the Select Group Policy wizard, then the "Close" button on the "Add Standalone Snap-in" dialog, then the "OK" button of the "Add/Remove Snap-in" dialog. 7. From the Default Domain Policy root, browse down to: User Configuration -> Windows Settings -> Internet Explorer Maintenence -> Security, and double-click on the "Security Zones and Content Ratings" object. 8. From the "Security Zones and Content Settings" tab, select the "Import the current security zones and privacy settings" radio button and click the "Modify Settings" button. 9. This will bring up the GPO version of the "Internet Properties" control panel. Select either the "Local Intranet" or "Trusted Sites" zone as appropriate for your organization and hit the "Sites" button in order to add your RT vhost to that zone. If your RT vhost is not SSL-secured, you will need to un-check the "Require server verification" checkbox before adding the site. adding a domain to trusted sites 10. Hit "OK" to close the "Internet Properties" panel, and then "OK" to close the "Security Zones and Content Ratings" panel. You can then close the entire MMC console. 11. Your end-users may need to reboot for the Group Policy to be applied to them. If you add AutoCreateFromExternalUserInfo to this you will be able to allow users to create and modify and view tickets from the website. Special thanks to http://blank.org/memory/output/rt-ad-sso.html and drupal.org/node/44718 Sites from which I pieced together the information to get this document